<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>User Account, Data Source DS0002 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100"> <div class="sidenav-wrapper"> <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-expanded="true" aria-controls="#sidebar-collapse" aria-selected="false">DATA SOURCES <i class="fa-solid fa-fw fa-chevron-down"></i> <i class="fa-solid fa-fw fa-chevron-up"></i> </div> <div class="checkbox-div" id="v-home-tab" aria-selected="false"> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="enterpriseSwitch" onchange="filterTables(enterpriseSwitch, icsSwitch)"> <label class="custom-control-label" for="enterpriseSwitch">Enterprise</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="mobileSwitch" onchange="filterTables(mobileSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="mobileSwitch">Mobile</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="icsSwitch" onchange="filterTables(icsSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="icsSwitch">ICS</label> </div> </div> <br class="br-mobile"> <div class="sidenav-list collapse show" id="sidebar-collapse" aria-labelledby="v-home-tab"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026"> <a href="/datasources/DS0026/"> Active Directory </a> <div class="expand-button collapsed" id="DS0026-header" data-toggle="collapse" data-target="#DS0026-body" aria-expanded="false" aria-controls="#DS0026-body"></div> </div> <div class="sidenav-body collapse" id="DS0026-body" aria-labelledby="DS0026-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Credential Request"> <a href="/datasources/DS0026/#Active%20Directory%20Credential%20Request"> Active Directory Credential Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Access"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Access"> Active Directory Object Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Creation"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Creation"> Active Directory Object Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Deletion"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Deletion"> Active Directory Object Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Modification"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Modification"> Active Directory Object Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015"> <a href="/datasources/DS0015/"> Application Log </a> <div class="expand-button collapsed" id="DS0015-header" data-toggle="collapse" data-target="#DS0015-body" aria-expanded="false" aria-controls="#DS0015-body"></div> </div> <div class="sidenav-body collapse" id="DS0015-body" aria-labelledby="DS0015-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015-Application Log Content"> <a href="/datasources/DS0015/#Application%20Log%20Content"> Application Log Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041"> <a href="/datasources/DS0041/"> Application Vetting </a> <div class="expand-button collapsed" id="DS0041-header" data-toggle="collapse" data-target="#DS0041-body" aria-expanded="false" aria-controls="#DS0041-body"></div> </div> <div class="sidenav-body collapse" id="DS0041-body" aria-labelledby="DS0041-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-API Calls"> <a href="/datasources/DS0041/#API%20Calls"> API Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Application Assets"> <a href="/datasources/DS0041/#Application%20Assets"> Application Assets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Network Communication"> <a href="/datasources/DS0041/#Network%20Communication"> Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Permissions Requests"> <a href="/datasources/DS0041/#Permissions%20Requests"> Permissions Requests </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Protected Configuration"> <a href="/datasources/DS0041/#Protected%20Configuration"> Protected Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039"> <a href="/datasources/DS0039/"> Asset </a> <div class="expand-button collapsed" id="DS0039-header" data-toggle="collapse" data-target="#DS0039-body" aria-expanded="false" aria-controls="#DS0039-body"></div> </div> <div class="sidenav-body collapse" id="DS0039-body" aria-labelledby="DS0039-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Asset Inventory"> <a href="/datasources/DS0039/#Asset%20Inventory"> Asset Inventory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Software"> <a href="/datasources/DS0039/#Software"> Software </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037"> <a href="/datasources/DS0037/"> Certificate </a> <div class="expand-button collapsed" id="DS0037-header" data-toggle="collapse" data-target="#DS0037-body" aria-expanded="false" aria-controls="#DS0037-body"></div> </div> <div class="sidenav-body collapse" id="DS0037-body" aria-labelledby="DS0037-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037-Certificate Registration"> <a href="/datasources/DS0037/#Certificate%20Registration"> Certificate Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025"> <a href="/datasources/DS0025/"> Cloud Service </a> <div class="expand-button collapsed" id="DS0025-header" data-toggle="collapse" data-target="#DS0025-body" aria-expanded="false" aria-controls="#DS0025-body"></div> </div> <div class="sidenav-body collapse" id="DS0025-body" aria-labelledby="DS0025-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Disable"> <a href="/datasources/DS0025/#Cloud%20Service%20Disable"> Cloud Service Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Enumeration"> <a href="/datasources/DS0025/#Cloud%20Service%20Enumeration"> Cloud Service Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Metadata"> <a href="/datasources/DS0025/#Cloud%20Service%20Metadata"> Cloud Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Modification"> <a href="/datasources/DS0025/#Cloud%20Service%20Modification"> Cloud Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010"> <a href="/datasources/DS0010/"> Cloud Storage </a> <div class="expand-button collapsed" id="DS0010-header" data-toggle="collapse" data-target="#DS0010-body" aria-expanded="false" aria-controls="#DS0010-body"></div> </div> <div class="sidenav-body collapse" id="DS0010-body" aria-labelledby="DS0010-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Access"> <a href="/datasources/DS0010/#Cloud%20Storage%20Access"> Cloud Storage Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Creation"> <a href="/datasources/DS0010/#Cloud%20Storage%20Creation"> Cloud Storage Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Deletion"> <a href="/datasources/DS0010/#Cloud%20Storage%20Deletion"> Cloud Storage Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Enumeration"> <a href="/datasources/DS0010/#Cloud%20Storage%20Enumeration"> Cloud Storage Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Metadata"> <a href="/datasources/DS0010/#Cloud%20Storage%20Metadata"> Cloud Storage Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Modification"> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification"> Cloud Storage Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017"> <a href="/datasources/DS0017/"> Command </a> <div class="expand-button collapsed" id="DS0017-header" data-toggle="collapse" data-target="#DS0017-body" aria-expanded="false" aria-controls="#DS0017-body"></div> </div> <div class="sidenav-body collapse" id="DS0017-body" aria-labelledby="DS0017-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017-Command Execution"> <a href="/datasources/DS0017/#Command%20Execution"> Command Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032"> <a href="/datasources/DS0032/"> Container </a> <div class="expand-button collapsed" id="DS0032-header" data-toggle="collapse" data-target="#DS0032-body" aria-expanded="false" aria-controls="#DS0032-body"></div> </div> <div class="sidenav-body collapse" id="DS0032-body" aria-labelledby="DS0032-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Creation"> <a href="/datasources/DS0032/#Container%20Creation"> Container Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Enumeration"> <a href="/datasources/DS0032/#Container%20Enumeration"> Container Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Start"> <a href="/datasources/DS0032/#Container%20Start"> Container Start </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038"> <a href="/datasources/DS0038/"> Domain Name </a> <div class="expand-button collapsed" id="DS0038-header" data-toggle="collapse" data-target="#DS0038-body" aria-expanded="false" aria-controls="#DS0038-body"></div> </div> <div class="sidenav-body collapse" id="DS0038-body" aria-labelledby="DS0038-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Active DNS"> <a href="/datasources/DS0038/#Active%20DNS"> Active DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Domain Registration"> <a href="/datasources/DS0038/#Domain%20Registration"> Domain Registration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Passive DNS"> <a href="/datasources/DS0038/#Passive%20DNS"> Passive DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016"> <a href="/datasources/DS0016/"> Drive </a> <div class="expand-button collapsed" id="DS0016-header" data-toggle="collapse" data-target="#DS0016-body" aria-expanded="false" aria-controls="#DS0016-body"></div> </div> <div class="sidenav-body collapse" id="DS0016-body" aria-labelledby="DS0016-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Access"> <a href="/datasources/DS0016/#Drive%20Access"> Drive Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016-Drive Creation"> <a href="/datasources/DS0016/#Drive%20Creation"> Drive Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Modification"> <a href="/datasources/DS0016/#Drive%20Modification"> Drive Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027"> <a href="/datasources/DS0027/"> Driver </a> <div class="expand-button collapsed" id="DS0027-header" data-toggle="collapse" data-target="#DS0027-body" aria-expanded="false" aria-controls="#DS0027-body"></div> </div> <div class="sidenav-body collapse" id="DS0027-body" aria-labelledby="DS0027-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Load"> <a href="/datasources/DS0027/#Driver%20Load"> Driver Load </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Metadata"> <a href="/datasources/DS0027/#Driver%20Metadata"> Driver Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022"> <a href="/datasources/DS0022/"> File </a> <div class="expand-button collapsed" id="DS0022-header" data-toggle="collapse" data-target="#DS0022-body" aria-expanded="false" aria-controls="#DS0022-body"></div> </div> <div class="sidenav-body collapse" id="DS0022-body" aria-labelledby="DS0022-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Access"> <a href="/datasources/DS0022/#File%20Access"> File Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Creation"> <a href="/datasources/DS0022/#File%20Creation"> File Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Deletion"> <a href="/datasources/DS0022/#File%20Deletion"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Metadata"> <a href="/datasources/DS0022/#File%20Metadata"> File Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Modification"> <a href="/datasources/DS0022/#File%20Modification"> File Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018"> <a href="/datasources/DS0018/"> Firewall </a> <div class="expand-button collapsed" id="DS0018-header" data-toggle="collapse" data-target="#DS0018-body" aria-expanded="false" aria-controls="#DS0018-body"></div> </div> <div class="sidenav-body collapse" id="DS0018-body" aria-labelledby="DS0018-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Disable"> <a href="/datasources/DS0018/#Firewall%20Disable"> Firewall Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Enumeration"> <a href="/datasources/DS0018/#Firewall%20Enumeration"> Firewall Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Metadata"> <a href="/datasources/DS0018/#Firewall%20Metadata"> Firewall Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Rule Modification"> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification"> Firewall Rule Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001"> <a href="/datasources/DS0001/"> Firmware </a> <div class="expand-button collapsed" id="DS0001-header" data-toggle="collapse" data-target="#DS0001-body" aria-expanded="false" aria-controls="#DS0001-body"></div> </div> <div class="sidenav-body collapse" id="DS0001-body" aria-labelledby="DS0001-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001-Firmware Modification"> <a href="/datasources/DS0001/#Firmware%20Modification"> Firmware Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036"> <a href="/datasources/DS0036/"> Group </a> <div class="expand-button collapsed" id="DS0036-header" data-toggle="collapse" data-target="#DS0036-body" aria-expanded="false" aria-controls="#DS0036-body"></div> </div> <div class="sidenav-body collapse" id="DS0036-body" aria-labelledby="DS0036-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Enumeration"> <a href="/datasources/DS0036/#Group%20Enumeration"> Group Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Metadata"> <a href="/datasources/DS0036/#Group%20Metadata"> Group Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Modification"> <a href="/datasources/DS0036/#Group%20Modification"> Group Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007"> <a href="/datasources/DS0007/"> Image </a> <div class="expand-button collapsed" id="DS0007-header" data-toggle="collapse" data-target="#DS0007-body" aria-expanded="false" aria-controls="#DS0007-body"></div> </div> <div class="sidenav-body collapse" id="DS0007-body" aria-labelledby="DS0007-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Creation"> <a href="/datasources/DS0007/#Image%20Creation"> Image Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Deletion"> <a href="/datasources/DS0007/#Image%20Deletion"> Image Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Metadata"> <a href="/datasources/DS0007/#Image%20Metadata"> Image Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Modification"> <a href="/datasources/DS0007/#Image%20Modification"> Image Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030"> <a href="/datasources/DS0030/"> Instance </a> <div class="expand-button collapsed" id="DS0030-header" data-toggle="collapse" data-target="#DS0030-body" aria-expanded="false" aria-controls="#DS0030-body"></div> </div> <div class="sidenav-body collapse" id="DS0030-body" aria-labelledby="DS0030-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Creation"> <a href="/datasources/DS0030/#Instance%20Creation"> Instance Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Deletion"> <a href="/datasources/DS0030/#Instance%20Deletion"> Instance Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Enumeration"> <a href="/datasources/DS0030/#Instance%20Enumeration"> Instance Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Metadata"> <a href="/datasources/DS0030/#Instance%20Metadata"> Instance Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Modification"> <a href="/datasources/DS0030/#Instance%20Modification"> Instance Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Start"> <a href="/datasources/DS0030/#Instance%20Start"> Instance Start </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Stop"> <a href="/datasources/DS0030/#Instance%20Stop"> Instance Stop </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035"> <a href="/datasources/DS0035/"> Internet Scan </a> <div class="expand-button collapsed" id="DS0035-header" data-toggle="collapse" data-target="#DS0035-body" aria-expanded="false" aria-controls="#DS0035-body"></div> </div> <div class="sidenav-body collapse" id="DS0035-body" aria-labelledby="DS0035-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Content"> <a href="/datasources/DS0035/#Response%20Content"> Response Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Metadata"> <a href="/datasources/DS0035/#Response%20Metadata"> Response Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008"> <a href="/datasources/DS0008/"> Kernel </a> <div class="expand-button collapsed" id="DS0008-header" data-toggle="collapse" data-target="#DS0008-body" aria-expanded="false" aria-controls="#DS0008-body"></div> </div> <div class="sidenav-body collapse" id="DS0008-body" aria-labelledby="DS0008-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008-Kernel Module Load"> <a href="/datasources/DS0008/#Kernel%20Module%20Load"> Kernel Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028"> <a href="/datasources/DS0028/"> Logon Session </a> <div class="expand-button collapsed" id="DS0028-header" data-toggle="collapse" data-target="#DS0028-body" aria-expanded="false" aria-controls="#DS0028-body"></div> </div> <div class="sidenav-body collapse" id="DS0028-body" aria-labelledby="DS0028-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Creation"> <a href="/datasources/DS0028/#Logon%20Session%20Creation"> Logon Session Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Metadata"> <a href="/datasources/DS0028/#Logon%20Session%20Metadata"> Logon Session Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004"> <a href="/datasources/DS0004/"> Malware Repository </a> <div class="expand-button collapsed" id="DS0004-header" data-toggle="collapse" data-target="#DS0004-body" aria-expanded="false" aria-controls="#DS0004-body"></div> </div> <div class="sidenav-body collapse" id="DS0004-body" aria-labelledby="DS0004-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Content"> <a href="/datasources/DS0004/#Malware%20Content"> Malware Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Metadata"> <a href="/datasources/DS0004/#Malware%20Metadata"> Malware Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011"> <a href="/datasources/DS0011/"> Module </a> <div class="expand-button collapsed" id="DS0011-header" data-toggle="collapse" data-target="#DS0011-body" aria-expanded="false" aria-controls="#DS0011-body"></div> </div> <div class="sidenav-body collapse" id="DS0011-body" aria-labelledby="DS0011-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011-Module Load"> <a href="/datasources/DS0011/#Module%20Load"> Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0023"> <a href="/datasources/DS0023/"> Named Pipe </a> <div class="expand-button collapsed" id="DS0023-header" data-toggle="collapse" data-target="#DS0023-body" aria-expanded="false" aria-controls="#DS0023-body"></div> </div> <div class="sidenav-body collapse" id="DS0023-body" aria-labelledby="DS0023-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0023-Named Pipe Metadata"> <a href="/datasources/DS0023/#Named%20Pipe%20Metadata"> Named Pipe Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0033"> <a href="/datasources/DS0033/"> Network Share </a> <div class="expand-button collapsed" id="DS0033-header" data-toggle="collapse" data-target="#DS0033-body" aria-expanded="false" aria-controls="#DS0033-body"></div> </div> <div class="sidenav-body collapse" id="DS0033-body" aria-labelledby="DS0033-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0033-Network Share Access"> <a href="/datasources/DS0033/#Network%20Share%20Access"> Network Share Access </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029"> <a href="/datasources/DS0029/"> Network Traffic </a> <div class="expand-button collapsed" id="DS0029-header" data-toggle="collapse" data-target="#DS0029-body" aria-expanded="false" aria-controls="#DS0029-body"></div> </div> <div class="sidenav-body collapse" id="DS0029-body" aria-labelledby="DS0029-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Connection Creation"> <a href="/datasources/DS0029/#Network%20Connection%20Creation"> Network Connection Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Traffic Content"> <a href="/datasources/DS0029/#Network%20Traffic%20Content"> Network Traffic Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Traffic Flow"> <a href="/datasources/DS0029/#Network%20Traffic%20Flow"> Network Traffic Flow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040"> <a href="/datasources/DS0040/"> Operational Databases </a> <div class="expand-button collapsed" id="DS0040-header" data-toggle="collapse" data-target="#DS0040-body" aria-expanded="false" aria-controls="#DS0040-body"></div> </div> <div class="sidenav-body collapse" id="DS0040-body" aria-labelledby="DS0040-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Device Alarm"> <a href="/datasources/DS0040/#Device%20Alarm"> Device Alarm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Process History/Live Data"> <a href="/datasources/DS0040/#Process%20History/Live%20Data"> Process History/Live Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Process/Event Alarm"> <a href="/datasources/DS0040/#Process/Event%20Alarm"> Process/Event Alarm </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0021"> <a href="/datasources/DS0021/"> Persona </a> <div class="expand-button collapsed" id="DS0021-header" data-toggle="collapse" data-target="#DS0021-body" aria-expanded="false" aria-controls="#DS0021-body"></div> </div> <div class="sidenav-body collapse" id="DS0021-body" aria-labelledby="DS0021-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0021-Social Media"> <a href="/datasources/DS0021/#Social%20Media"> Social Media </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014"> <a href="/datasources/DS0014/"> Pod </a> <div class="expand-button collapsed" id="DS0014-header" data-toggle="collapse" data-target="#DS0014-body" aria-expanded="false" aria-controls="#DS0014-body"></div> </div> <div class="sidenav-body collapse" id="DS0014-body" aria-labelledby="DS0014-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Creation"> <a href="/datasources/DS0014/#Pod%20Creation"> Pod Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Enumeration"> <a href="/datasources/DS0014/#Pod%20Enumeration"> Pod Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Modification"> <a href="/datasources/DS0014/#Pod%20Modification"> Pod Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009"> <a href="/datasources/DS0009/"> Process </a> <div class="expand-button collapsed" id="DS0009-header" data-toggle="collapse" data-target="#DS0009-body" aria-expanded="false" aria-controls="#DS0009-body"></div> </div> <div class="sidenav-body collapse" id="DS0009-body" aria-labelledby="DS0009-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0009-OS API Execution"> <a href="/datasources/DS0009/#OS%20API%20Execution"> OS API Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0009-Process Access"> <a href="/datasources/DS0009/#Process%20Access"> Process Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Creation"> <a href="/datasources/DS0009/#Process%20Creation"> Process Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Metadata"> <a href="/datasources/DS0009/#Process%20Metadata"> Process Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0009-Process Modification"> <a href="/datasources/DS0009/#Process%20Modification"> Process Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Termination"> <a href="/datasources/DS0009/#Process%20Termination"> Process Termination </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003"> <a href="/datasources/DS0003/"> Scheduled Job </a> <div class="expand-button collapsed" id="DS0003-header" data-toggle="collapse" data-target="#DS0003-body" aria-expanded="false" aria-controls="#DS0003-body"></div> </div> <div class="sidenav-body collapse" id="DS0003-body" aria-labelledby="DS0003-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003-Scheduled Job Creation"> <a href="/datasources/DS0003/#Scheduled%20Job%20Creation"> Scheduled Job Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0003-Scheduled Job Metadata"> <a href="/datasources/DS0003/#Scheduled%20Job%20Metadata"> Scheduled Job Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003-Scheduled Job Modification"> <a href="/datasources/DS0003/#Scheduled%20Job%20Modification"> Scheduled Job Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0012"> <a href="/datasources/DS0012/"> Script </a> <div class="expand-button collapsed" id="DS0012-header" data-toggle="collapse" data-target="#DS0012-body" aria-expanded="false" aria-controls="#DS0012-body"></div> </div> <div class="sidenav-body collapse" id="DS0012-body" aria-labelledby="DS0012-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0012-Script Execution"> <a href="/datasources/DS0012/#Script%20Execution"> Script Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013"> <a href="/datasources/DS0013/"> Sensor Health </a> <div class="expand-button collapsed" id="DS0013-header" data-toggle="collapse" data-target="#DS0013-body" aria-expanded="false" aria-controls="#DS0013-body"></div> </div> <div class="sidenav-body collapse" id="DS0013-body" aria-labelledby="DS0013-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013-Host Status"> <a href="/datasources/DS0013/#Host%20Status"> Host Status </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019"> <a href="/datasources/DS0019/"> Service </a> <div class="expand-button collapsed" id="DS0019-header" data-toggle="collapse" data-target="#DS0019-body" aria-expanded="false" aria-controls="#DS0019-body"></div> </div> <div class="sidenav-body collapse" id="DS0019-body" aria-labelledby="DS0019-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Creation"> <a href="/datasources/DS0019/#Service%20Creation"> Service Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Metadata"> <a href="/datasources/DS0019/#Service%20Metadata"> Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Modification"> <a href="/datasources/DS0019/#Service%20Modification"> Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020"> <a href="/datasources/DS0020/"> Snapshot </a> <div class="expand-button collapsed" id="DS0020-header" data-toggle="collapse" data-target="#DS0020-body" aria-expanded="false" aria-controls="#DS0020-body"></div> </div> <div class="sidenav-body collapse" id="DS0020-body" aria-labelledby="DS0020-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Creation"> <a href="/datasources/DS0020/#Snapshot%20Creation"> Snapshot Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Deletion"> <a href="/datasources/DS0020/#Snapshot%20Deletion"> Snapshot Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Enumeration"> <a href="/datasources/DS0020/#Snapshot%20Enumeration"> Snapshot Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Metadata"> <a href="/datasources/DS0020/#Snapshot%20Metadata"> Snapshot Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Modification"> <a href="/datasources/DS0020/#Snapshot%20Modification"> Snapshot Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active enterprise ics " id="DS0002"> <a href="/datasources/DS0002/"> User Account </a> <div class="expand-button collapsed" id="DS0002-header" data-toggle="collapse" data-target="#DS0002-body" aria-expanded="false" aria-controls="#DS0002-body"></div> </div> <div class="sidenav-body collapse" id="DS0002-body" aria-labelledby="DS0002-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002-User Account Authentication"> <a href="/datasources/DS0002/#User%20Account%20Authentication"> User Account Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Creation"> <a href="/datasources/DS0002/#User%20Account%20Creation"> User Account Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Deletion"> <a href="/datasources/DS0002/#User%20Account%20Deletion"> User Account Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Metadata"> <a href="/datasources/DS0002/#User%20Account%20Metadata"> User Account Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Modification"> <a href="/datasources/DS0002/#User%20Account%20Modification"> User Account Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042"> <a href="/datasources/DS0042/"> User Interface </a> <div class="expand-button collapsed" id="DS0042-header" data-toggle="collapse" data-target="#DS0042-body" aria-expanded="false" aria-controls="#DS0042-body"></div> </div> <div class="sidenav-body collapse" id="DS0042-body" aria-labelledby="DS0042-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-Permissions Request"> <a href="/datasources/DS0042/#Permissions%20Request"> Permissions Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Notifications"> <a href="/datasources/DS0042/#System%20Notifications"> System Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Settings"> <a href="/datasources/DS0042/#System%20Settings"> System Settings </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034"> <a href="/datasources/DS0034/"> Volume </a> <div class="expand-button collapsed" id="DS0034-header" data-toggle="collapse" data-target="#DS0034-body" aria-expanded="false" aria-controls="#DS0034-body"></div> </div> <div class="sidenav-body collapse" id="DS0034-body" aria-labelledby="DS0034-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Creation"> <a href="/datasources/DS0034/#Volume%20Creation"> Volume Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Deletion"> <a href="/datasources/DS0034/#Volume%20Deletion"> Volume Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Enumeration"> <a href="/datasources/DS0034/#Volume%20Enumeration"> Volume Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Metadata"> <a href="/datasources/DS0034/#Volume%20Metadata"> Volume Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Modification"> <a href="/datasources/DS0034/#Volume%20Modification"> Volume Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006"> <a href="/datasources/DS0006/"> Web Credential </a> <div class="expand-button collapsed" id="DS0006-header" data-toggle="collapse" data-target="#DS0006-body" aria-expanded="false" aria-controls="#DS0006-body"></div> </div> <div class="sidenav-body collapse" id="DS0006-body" aria-labelledby="DS0006-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Creation"> <a href="/datasources/DS0006/#Web%20Credential%20Creation"> Web Credential Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Usage"> <a href="/datasources/DS0006/#Web%20Credential%20Usage"> Web Credential Usage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024"> <a href="/datasources/DS0024/"> Windows Registry </a> <div class="expand-button collapsed" id="DS0024-header" data-toggle="collapse" data-target="#DS0024-body" aria-expanded="false" aria-controls="#DS0024-body"></div> </div> <div class="sidenav-body collapse" id="DS0024-body" aria-labelledby="DS0024-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Access"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Access"> Windows Registry Key Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Creation"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Creation"> Windows Registry Key Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/datasources/">Data Sources</a></li> <li class="breadcrumb-item">User Account</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> User Account </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>A profile representing a user, device, service, or application used to authenticate and access resources</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>DS0002 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Containers, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">&#9432;</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layers:&nbsp;</span>Cloud Control Plane, Container, Host </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Contributors</span>: Center for Threat-Informed Defense (CTID) </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.1 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>20 October 2021 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>14 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0002" href="/versions/v16/datasources/DS0002/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0002" href="/versions/v16/datasources/DS0002/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> <div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="User Account Authentication"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Account: User Account Authentication</h4> <div class="description-body"> <p>An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Account: User Account Authentication</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1119">T1119</a> </td> <td> <a href="/techniques/T1119">Automated Collection</a> </td> <td> <p>Monitor Azure AD (Entra ID) Sign In logs for suspicious Applications authenticating to the Graph API or other sensitive Resources using User Agents attributed to scripting interpreters such as python or Powershell.</p><p>Analytic 1 - Suspicious applications, unusual user agents (e.g., python, PowerShell), anomalous IP addresses, and unmanaged devices</p><p><code> index="azure_ad_signin_logs" Operation="UserLogin"| search UserAgent="<em>python</em>" OR UserAgent="<em>PowerShell</em>"| stats count by ClientIP, UserId, DeviceProperties| where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1110">T1110</a> </td> <td> <a href="/techniques/T1110">Brute Force</a> </td> <td> <p>Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.</p><p>Analytic 1 - Multiple failed logon attempts across different accounts.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379))OR (index=security sourcetype="linux_secure" message="Failed password")OR (index=security sourcetype="macos_secure" message="Failed to authenticate user")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/001">.001</a> </td> <td> <a href="/techniques/T1110/001">Password Guessing</a> </td> <td> <p>Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023">^{<a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p><p>Analytic 1 - Multiple failed logon attempts across different accounts.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user")</code> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/002">.002</a> </td> <td> <a href="/techniques/T1110/002">Password Cracking</a> </td> <td> <p>Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)</p><p>Analytic 1 - Multiple failed logon attempts across different accounts.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/003">.003</a> </td> <td> <a href="/techniques/T1110/003">Password Spraying</a> </td> <td> <p>Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023">^{<a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p><p>Analytic 1 - Multiple failed logon attempts across different accounts, especially targeting common usernames.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/004">.004</a> </td> <td> <a href="/techniques/T1110/004">Credential Stuffing</a> </td> <td> <p>Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023">^{<a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p><p>Analytic 1 - Multiple failed logon attempts across different accounts, especially using commonly used passwords.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user") | where match(Password, "(?i)(Password123|Password1|123456|12345678|qwerty|abc123|letmein|welcome|monkey|admin|login|pass|guest|root)")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1538">T1538</a> </td> <td> <a href="/techniques/T1538">Cloud Service Dashboard</a> </td> <td> <p>Correlate other security systems with login information, such as user accounts, IP addresses, and login names.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023">^{<a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1212">T1212</a> </td> <td> <a href="/techniques/T1212">Exploitation for Credential Access</a> </td> <td> <p>Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.</p><p>Analytic 1 - High number of failed authentication attempts or unusual logon patterns.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 4648)) OR (index=os sourcetype="linux_secure" message="Failed password") OR (index=os sourcetype="macos_secure" message="Failed to authenticate user")</code></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1606">T1606</a> </td> <td> <a href="/techniques/T1606/002">.002</a> </td> <td> <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/002">SAML Tokens</a> </td> <td> <p>Monitor for user authentication attempts, when requesting access tokens to services, that failed because of Conditional Access Policies (CAP). Some SAML tokens features, such as the location of a user, may not be as easy to claim.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/003">.003</a> </td> <td> <a href="/techniques/T1070/003">Clear Command History</a> </td> <td> <p>Monitor for an attempts by a user to gain access to a network or computing resource, often by providing credentials via remote terminal services, that do not have a corresponding entry in a command history file.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/005">.005</a> </td> <td> <a href="/techniques/T1070/005">Network Share Connection Removal</a> </td> <td> <p>Monitoring for Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity.</p><p>Analytic 1 - Windows Successful logons without MFA.</p><p><code>index=your_index sourcetype="WinEventLog:Security" EventCode=4624 | eval MFA_used=if(searchmatch("MFA"), "Yes", "No")| where MFA_used="No"| stats count by Account_Name, Logon_Type, IpAddress, ComputerName </code></p><p>Analytic 2 - Linux Successful logons without MFA.</p><p><code>index=your_index sourcetype="linux_secure" OR sourcetype="macos_auth" "Accepted password" | eval MFA_used=if(searchmatch("MFA"), "Yes", "No")| where MFA_used="No"| stats count by user, src_ip, host</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/006">.006</a> </td> <td> <a href="/techniques/T1556/006">Multi-Factor Authentication</a> </td> <td> <p>Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1621">T1621</a> </td> <td> <a href="/techniques/T1621">Multi-Factor Authentication Request Generation</a> </td> <td> <p>Monitor user account logs for suspicious events: unusual login attempt source location, mismatch in location of login attempt and smart device receiving 2FA/MFA request prompts, and high volume of repeated login attempts, all of which may indicate user's primary credentials have been compromised minus 2FA/MFA mechanism.</p><p>Analytic 1 - Anomalous IP addresses, unmanaged devices, unusual User Agents indicating automation tools or scripts, high failure rates</p><p><code> index="m365_audit_logs" Operation="UserLoginFailed" ErrorNumber="500121"| stats count by ClientIP, UserId, DeviceProperties| where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1207">T1207</a> </td> <td> <a href="/techniques/T1207">Rogue Domain Controller</a> </td> <td> <p>Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Lucand,G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018."data-reference="ADDSecurity DCShadow Feb 2018">^{<a href="https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span> A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may search compromised systems to find and obtain insecurely stored credentials.</p><p>Analytic 1 - Failed or unusual logon attempts using compromised credentials.</p><p><code>(index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 4648)) OR(index=os sourcetype="linux_secure" message="Failed password" OR message="Invalid user") OR(index=os sourcetype="macos_secure" event_type="authentication_failure" OR message="Failed to authenticate user") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/005">.005</a> </td> <td> <a href="/techniques/T1552/005">Cloud Instance Metadata API</a> </td> <td> <p>It may be possible to detect adversary use of credentials they have obtained such as in <a href="/techniques/T1078">Valid Accounts</a>.</p><p>Analytic 1 - Failed or unusual logon attempts using compromised credentials.</p><p><code> index=security sourcetype="aws:cloudtrail" eventName="ConsoleLogin" (errorMessage="Failed authentication" OR errorMessage="Invalid login attempt") ORindex=security sourcetype="azure:activity" operationName="Sign-in activity" (status="Failed" OR status="Error") ORindex=security sourcetype="gcp:activity" protoPayload.methodName="google.iam.v1.logging.GetPolicy" (protoPayload.status.message="Failed" OR protoPayload.status.message="Invalid login attempt")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/007">.007</a> </td> <td> <a href="/techniques/T1552/007">Container API</a> </td> <td> <p>It may be possible to detect adversary use of credentials they have obtained such as in <a href="/techniques/T1078">Valid Accounts</a>.</p><p>Analytic 1 - Failed or unusual logon attempts using compromised credentials.</p><p><code> (index=containers sourcetype="docker:events" action="create" container_name="<em>" user!="root") OR(index=containers sourcetype="kubernetes:api" verb IN ("create", "patch", "delete") objectRef.resource IN ("pods", "secrets") user.username!="system:serviceaccount:</em>")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1550">T1550</a> </td> <td> <a href="/techniques/T1550">Use Alternate Authentication Material</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1550/002">.002</a> </td> <td> <a href="/techniques/T1550/002">Pass the Hash</a> </td> <td> <p>Monitor for user authentication attempts. From a classic Pass-The-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. From an Over-Pass-The-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then inject the hash into that session which triggers the Kerberos authentication process.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1550/003">.003</a> </td> <td> <a href="/techniques/T1550/003">Pass the Ticket</a> </td> <td> <p>Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a> </td> <td> <p>Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/001">.001</a> </td> <td> <a href="/techniques/T1078/001">Default Accounts</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/002">.002</a> </td> <td> <a href="/techniques/T1078/002">Domain Accounts</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux</p><p>Note:</p><ul><li>For Windows, Security Logs events, including Event ID 4624, can be monitored to track user login behavior.</li><li>For Linux, auditing frameworks that support File Integrity Monitoring (FIM), including the audit daemon (auditd), can be used to alert on changes to files that store login information. These files include: <code>/etc/login.defs</code>,<code> /etc/securetty</code>,<code> /var/log/faillog</code>,<code> /var/log/lastlog</code>,<code> /var/log/tallylog</code>.</li><li>For MacOS, auditing frameworks that support capturing information on user logins, such as OSQuery, can be used to audit user account logins and authentications. </li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/003">.003</a> </td> <td> <a href="/techniques/T1078/003">Local Accounts</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux.</p><p>Notes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including <code>/var/log/secure</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/004">.004</a> </td> <td> <a href="/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p>Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account, account usage at atypical hours, or account authentication from unexpected locations or IP addresses. Service accounts should only be accessible from IP addresses from within the cloud environment.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023."data-reference="Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022">^{<a href="https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> For example, in Azure AD environments, consider using Identity Protection to flag risky sign-ins based on location, device compliance, and other factors. In Okta environments, configure Suspicious Activity Reporting to allow users to report suspicious logins and other behavior they do not recognize.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024."data-reference="Okta Cross-Tenant Impersonation">^{<a href="https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p><p>Analytic 1 - Anomalous IP addresses, unmanaged devices, unusual User Agents indicating automation tools or scripts</p><p>Note: To detect suspicious logins to cloud accounts using valid credentials from unusual sources.</p><p><code> "`index=""m365_audit_logs"" Operation=""UserLoggedIn"" ResultStatus=""Success""| stats count by ClientIP, UserId, DeviceProperties| where ClientIP!=""expected_ip"" OR DeviceProperties!=""expected_properties"""</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0859">T0859</a> </td> <td> <a href="/techniques/T0859">Valid Accounts</a> </td> <td> <p>Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="User Account Creation"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Account: User Account Creation</h4> <div class="description-body"> <p>Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Account: User Account Creation</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1136">T1136</a> </td> <td> <a href="/techniques/T1136">Create Account</a> </td> <td> <p>Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/001">.001</a> </td> <td> <a href="/techniques/T1136/001">Local Account</a> </td> <td> <p>Monitor for newly constructed user and service accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network, a Kubernetes cluster, or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/002">.002</a> </td> <td> <a href="/techniques/T1136/002">Domain Account</a> </td> <td> <p>Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/003">.003</a> </td> <td> <a href="/techniques/T1136/003">Cloud Account</a> </td> <td> <p>Monitor for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts, such as accounts that do not follow specified naming conventions or accounts created by unapproved users or sources.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Microsoft . (2022, September 16). Azure Active Directory security operations guide. Retrieved February 21, 2023."data-reference="Microsoft Azure Active Directory security operations guide">^{<a href="https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-introduction" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span> Monitor for newly created admin accounts that go over a certain threshold of known admins.</p><p>Analytic 1 - Unusual ActorPrincipalNames, creation of accounts with suspicious properties</p><p><code> index="azure_ad_audit_logs" Category="UserManagement" Activity="Add user"| search ActorPrincipalName="*" AND IPAddress!="expected_ip"| table Time, ActorPrincipalName, IPAddress, Target1UserPrincipalName, Target1DisplayName</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/002">.002</a> </td> <td> <a href="/techniques/T1564/002">Hidden Users</a> </td> <td> <p>Monitor for newly constructed user accounts, such as userIDs under 500 on macOS, that may mask the presence of user accounts they create or modify.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p>Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/010">.010</a> </td> <td> <a href="/techniques/T1036/010">Masquerade Account Name</a> </td> <td> <p>Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="User Account Deletion"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Account: User Account Deletion</h4> <div class="description-body"> <p>Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Account: User Account Deletion</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1531">T1531</a> </td> <td> <a href="/techniques/T1531">Account Access Removal</a> </td> <td> <p>Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted).</p><p>Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., <code>Event ID 4726 - A user account was deleted</code>).</p><p>Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/009">.009</a> </td> <td> <a href="/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., <code>Event ID 4726 - A user account was deleted</code>).</p><p>Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="User Account Metadata"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Account: User Account Metadata</h4> <div class="description-body"> <p>Contextual data about an account, which may include a username, user ID, environmental data, etc.</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Account: User Account Metadata</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Contextual data about an account, which may include a username, user ID, environmental data, etc.</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1134">T1134</a> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a> </td> <td> <p>Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc. that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/005">.005</a> </td> <td> <a href="/techniques/T1134/005">SID-History Injection</a> </td> <td> <p>Examine data in user’s SID-History attributes</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for contextual data about an account, which may include a username, user ID, environmental data that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/002">.002</a> </td> <td> <a href="/techniques/T1564/002">Hidden Users</a> </td> <td> <p>Monitor for contextual data about an account, which may include a username, user ID, environmental data that may mask the presence of user accounts they create or modify. On macOS, identify users with an userID under 500 and the <code>Hide500Users</code> key value in the <code>/Library/Preferences/com.apple.loginwindow</code> plist file set to <code>TRUE</code>.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021."data-reference="Cybereason OSX Pirrit">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556/005">.005</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a>: <a href="/techniques/T1556/005">Reversible Encryption</a> </td> <td> <p>Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021."data-reference="dump_pwd_dcsync">^{<a href="https://adsecurity.org/?p=2053" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1201">T1201</a> </td> <td> <a href="/techniques/T1201">Password Policy Discovery</a> </td> <td> <p>Monitor for contextual data about an account that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="User Account Modification"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Account: User Account Modification</h4> <div class="description-body"> <p>Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Account: User Account Modification</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1548">T1548</a> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Log cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/005">.005</a> </td> <td> <a href="/techniques/T1548/005">Temporary Elevated Cloud Access</a> </td> <td> <p>Log API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1531">T1531</a> </td> <td> <a href="/techniques/T1531">Account Access Removal</a> </td> <td> <p>Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account:Event ID 4723 - An attempt was made to change an account's passwordEvent ID 4724 - An attempt was made to reset an account's passwordEvent ID 4725 - A user account was disabled</p><p>Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a> </td> <td> <p>Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password.</p><p>Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/001">.001</a> </td> <td> <a href="/techniques/T1098/001">Additional Cloud Credentials</a> </td> <td> <p>Monitor for unexpected changes to cloud user accounts, such as Azure Activity Logs highlighting malicious Service Principal and Application modifications. </p><p>Monitor for the use of API and CLI commands that add passwords, access keys, or tokens to accounts, such as <code>CreateAccessKey</code>, <code>GetFederationToken</code>, and <code>CreateLoginProfile</code> in AWS or <code>service-accounts keys create</code> in GCP. Also monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/002">.002</a> </td> <td> <a href="/techniques/T1098/002">Additional Email Delegate Permissions</a> </td> <td> <p>Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/003">.003</a> </td> <td> <a href="/techniques/T1098/003">Additional Cloud Roles</a> </td> <td> <p>Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. Monitor for updates to IAM policies and roles attached to user accounts.</p><p>Analytic 1 - Unusual ActorPrincipalNames, unexpected role assignments to sensitive roles (e.g., Global Admin)</p><p>Note: To detect the assignment of additional cloud roles using potentially hijacked accounts.</p><p><code> "index=""azure_ad_audit_logs"" Category=""RoleManagement"" Activity=""Add member to role""| search ActorPrincipalName=""*"" AND (Target1ModifiedProperty1NewValue=""Global Administrator"" OR Target1ModifiedProperty2NewValue=""Global Administrator"") AND IPAddress!=""expected_ip""| table Time, ActorPrincipalName, IPAddress, Target1UserPrincipalName, Target1ModifiedProperty1NewValue"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/005">.005</a> </td> <td> <a href="/techniques/T1098/005">Device Registration</a> </td> <td> <p>Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022."data-reference="Microsoft DEV-0537">^{<a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/006">.006</a> </td> <td> <a href="/techniques/T1098/006">Additional Container Cluster Roles</a> </td> <td> <p>Collect usage logs from accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to high-privileged cluster roles that go over a certain threshold of known admins. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/007">.007</a> </td> <td> <a href="/techniques/T1098/007">Additional Local or Domain Groups</a> </td> <td> <p>Monitor events for changes to account objects and/or permissions on systems and the domain. Monitor for modification of account permissions in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts or machine accounts being unexpectedly added into security groups. Monitor for accounts assigned to admin roles, such as Windows domain administrators, that go over a certain threshold of known admins. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the <code>Update User</code> and <code>Change User License</code> events in the Azure AD audit log.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021."data-reference="Mandiant Defend UNC2452 White Paper">^{<a href="https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/008">.008</a> </td> <td> <a href="/techniques/T1562/008">Disable or Modify Cloud Logs</a> </td> <td> <p>Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the <code>Update User</code> and <code>Change User License</code> events in the Azure AD audit log.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021."data-reference="Mandiant Defend UNC2452 White Paper">^{<a href="https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon.</p><p>Analytic 1 - Unauthorized modification of user accounts Windows (User Account Modification)</p><p><code>index=your_index sourcetype="WinEventLog:Security" EventCode IN (4720, 4722, 4724, 4738, 4725, 4732, 4733, 4735, 4737) | eval Risk_Level=if(MemberName="Domain Admins" OR MemberName="Administrators", "High", "Low")| stats count by TargetUserName, AccountName, EventCode, Risk_Level, ComputerName| where Risk_Level="High"</code></p><p>Analytic 2 - macOS/Linux (User Account Modification)</p><p><code>index=your_index sourcetype="linux_secure" OR sourcetype="macos_auth" "usermod" OR "passwd" OR "chpasswd" OR "adduser" OR "deluser" OR "vipw" | stats count by user, command, src_ip, host | where command IN ("usermod", "passwd", "chpasswd", "adduser", "deluser", "vipw")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/006">.006</a> </td> <td> <a href="/techniques/T1556/006">Multi-Factor Authentication</a> </td> <td> <p>Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Monitor for attempts to disable MFA on individual user accounts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023">^{<a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> Additionally, monitor for attempts to change or reset users’ MFA factor settings. For example, in Okta environments, the event <code>user.mfa.factor.reset_all</code> will trigger when all MFA factors are reset for a user. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024."data-reference="Okta Cross-Tenant Impersonation">^{<a href="https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </p><p>Analytic 1 - Unusual registration of MFA devices, changes to StrongAuthenticationPhoneAppDetail properties.</p><p><code>index="m365_audit_logs" Workload="AzureActiveDirectory" Operation="Update user" Actor="Azure MFA StrongAuthenticationService"| search ObjectId!="expected_user_id"| table CreationTime, Actor, ObjectId, IPAddress, ModifiedProperties </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1528">T1528</a> </td> <td> <a href="/techniques/T1528">Steal Application Access Token</a> </td> <td> <p>Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.</p><p>Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.</p><p>Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.</p><p>Analytic 1 - Unauthorized app permissions or unusual activity patterns in app logs.</p><p><code>(index=security sourcetype="WinEventLog:Security" EventCode=4720 OR EventCode=4722 OR EventCode=4738) OR(index=azuread sourcetype="azure:activity" operationName IN ("Add member to role", "Update user", "Update group")) OR(index=gsuite sourcetype="gsuite:admin" event_type IN ("UPDATE_USER", "ADD_USER_TO_GROUP")) OR(index=o365 sourcetype="o365:management:activity" operation IN ("Add member to role", "Update user", "Update group")) </code></p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank"> Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html" target="_blank"> Lucand,G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/" target="_blank"> Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" target="_blank"> Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-introduction" target="_blank"> Microsoft . (2022, September 16). Azure Active Directory security operations guide. Retrieved February 21, 2023. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="6.0"> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" target="_blank"> Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://adsecurity.org/?p=2053" target="_blank"> Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank"> Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" target="_blank"> Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/filter/filter.js?7315"></script> <script src="/theme/scripts/navigation.js"></script> <script src="/theme/scripts/mobileview-datasources.js"></script> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-relationships.js"></script> </body> </html>